[Openstack] [barbican] Standalone Barbican Setup

Douglas Mendizábal douglas.mendizabal at rackspace.com
Wed Jan 25 20:37:21 UTC 2017



Hi Naveed,

It is possible to deploy Barbican without Keystone, but you should
take care to secure access to the service by other means.

Typically, you would deploy Barbican and configure keystonemiddleware
to validate keystone tokens provided by the user.  The middleware
takes care of validating the token with the Keystone service and then
adds the user information it received to the request in the form of
new request headers. [1]

Barbican will look at the X-Project-Id, X-User-Id and X-Roles headers
in the request and apply the rules in policy.json [2] to decide
whether the user sending the request should be allowed to access a
secret or not.

Whatever non-keystone auth option you choose must add those same
headers to the request.

For example, I have deployed Barbican using Repose [3] instead of
keystonemiddleware to perform authN/authZ against my company's
identity service.  I then configured Repose to add the required
headers after validating the identity of the user.

Since barbican is only looking at the request after Repose processed
it, it made no difference that I was not using keystonemiddleware.

If you really don't want any kind of auth in front of Barbican (not
sure why you'd do this other than to kick the tires on the API) then
you can look at the no-auth setup in [4].

I hope that helps,
- Douglas


[1] http://docs.openstack.org/developer/keystonemiddleware/api/keystonemiddleware.auth_token.html#what-auth-token-adds-to-the-request-for-use-by-the-openstack-service
[2] https://github.com/openstack/barbican/blob/master/etc/barbican/policy.json
[3] http://www.openrepose.org/
[4] http://docs.openstack.org/developer/barbican/setup/noauth.html

On 1/25/17 11:09 AM, Naveed A wrote:
> Hello,
> 
> Has anyone tried implementing barbican in standalone mode so that
> it is connected to HSM or KMIP but not using keystone? Would such a
> setup work?
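Added example (not code from this thread or from Barbican itself): a minimal model of the header-driven authorization the reply describes, together with the header-replacement step a trusted auth layer such as keystonemiddleware or Repose has to perform before the request reaches Barbican. The policy table, rule names and header values are constructed for illustration.

```python
# Constructed model of Barbican's trust in X-Project-Id / X-User-Id / X-Roles:
# the service never validates a token itself, it only reads what the auth
# layer in front of it added. Not Barbican's own code.

TRUSTED_IDENTITY_HEADERS = ("X-Project-Id", "X-User-Id", "X-Roles")

# Constructed policy in the spirit of policy.json: any listed role grants the action.
POLICY = {
    "secret:get": {"admin", "observer", "creator"},
    "secret:put": {"admin", "creator"},
    "secret:delete": {"admin"},
}


def identity_from_headers(headers):
    """Extract the identity a trusted auth layer added to the request."""
    project = headers.get("X-Project-Id")
    user = headers.get("X-User-Id")
    roles = {r.strip() for r in headers.get("X-Roles", "").split(",") if r.strip()}
    if not project or not user:
        return None  # no validated identity: treat the caller as unauthenticated
    return {"project_id": project, "user_id": user, "roles": roles}


def is_allowed(headers, action, secret_project_id):
    """Policy check: caller's project must own the secret and hold a role the rule lists."""
    ident = identity_from_headers(headers)
    if ident is None or action not in POLICY:
        return False
    if ident["project_id"] != secret_project_id:
        return False
    return bool(ident["roles"] & POLICY[action])


def proxy_set_identity(client_headers, validated):
    """What the auth layer (keystonemiddleware, Repose, ...) must do after
    validating the caller: remove any identity headers the client sent, then
    set them from the validated identity. Because Barbican trusts these
    headers, they must only ever originate from this layer."""
    cleaned = {k: v for k, v in client_headers.items()
               if k.title() not in TRUSTED_IDENTITY_HEADERS}
    cleaned["X-Project-Id"] = validated["project_id"]
    cleaned["X-User-Id"] = validated["user_id"]
    cleaned["X-Roles"] = ",".join(sorted(validated["roles"]))
    return cleaned
```

The no-auth setup in [4] is exactly the case where nothing performs the `proxy_set_identity` step, so whatever the client sends in those headers is what the policy check sees.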